Harking back to the work of the China-based APT10 group, which specifically targeted Managed Service Providers (MSPs), these attacks exploit the victims’ digital supply chain. By compromising as-a-service providers and their software, attackers gain a powerful foothold into every customer downstream. Of course, the major state-sponsored attacks against SolarWinds and Microsoft in the last year are perhaps the high watermark for such attacks, but criminal groups like REvil are increasingly in on the action.
It is becoming increasingly hard for organisations to avoid supply chain attacks, but there are things that can be done – here are a few that SMEs should consider.
Be aware of digital supply chain risk
Firstly, organisations must know their risk exposure by cataloguing the software and service providers that have remote access to their environment, or whose platforms are critical to business operations. Critical service providers should in turn be asked about their own key suppliers. As the Swedish grocery chain Coop found in recent days, exposure to supply chain risk, even one or two times removed, can still shut down a business – Coop didn’t use Kaseya software or services itself, but a key supplier did. To identify first-order SaaS exposure, organisations can look at Cloud Access Security Broker solutions such as Netskope, which provides incredible visibility into the sanctioned and unsanctioned use of SaaS across an organisation.
Wargame your exposure
Often, asking hard questions of your supply chain will return an immensely complicated picture, and finding a solution can be overwhelming for SMEs. If that is the case, a next step can be to assume a compromise of these key systems and suppliers, then wargame your response and business continuity arrangements. This process can shine a light on opportunities to build resilience in the organisation. Risks can start to be managed simply by knowing what third-party software and remote access exists, what those systems can touch, and what arrangements the provider has for preventative security and post-breach business continuity.
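The cataloguing and wargaming steps above amount to a dependency graph question: if a given supplier is compromised, which chains lead back to you, and how many hops removed are they? The following is an added illustration, not code from the original article or from any vendor it names; the supplier names and the access attributes are constructed sample data, and the graph walk is a plain breadth-first search over that inventory.

```python
from collections import deque

# Constructed sample inventory (not real data): each organisation maps to the
# suppliers it depends on, with the access each supplier holds into it.
SUPPLY_CHAIN = {
    "our-sme": {
        "payroll-saas": {"remote_access": False, "critical": True},
        "grocery-wholesaler": {"remote_access": False, "critical": True},
        "print-shop": {"remote_access": False, "critical": False},
        "it-msp": {"remote_access": True, "critical": True},
    },
    "grocery-wholesaler": {"it-msp": {"remote_access": True, "critical": True}},
    "it-msp": {"rmm-vendor": {"remote_access": True, "critical": True}},
    "print-shop": {"rmm-vendor": {"remote_access": True, "critical": True}},
    "payroll-saas": {"cloud-host": {"remote_access": False, "critical": True}},
}

def exposure_paths(chain, root, compromised, max_depth=4):
    """Breadth-first search over the dependency graph. Returns every chain from
    `root` to `compromised` as a list of names, so second- and third-order
    exposure (the Coop situation) is visible, not just direct contracts."""
    paths = []
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == compromised:
            paths.append(path)
            continue
        if len(path) > max_depth:
            continue
        for supplier in chain.get(node, {}):
            if supplier not in path:  # guard against cycles in the inventory
                queue.append(path + [supplier])
    return paths

def exposure_order(chain, root, compromised):
    """Minimum number of hops to the supplier; None if it is not in the chain."""
    paths = exposure_paths(chain, root, compromised)
    return min(len(p) - 1 for p in paths) if paths else None

def critical_paths(chain, root, compromised):
    """Only the chains where every hop is a critical dependency, i.e. where an
    outage at `compromised` would propagate all the way back to `root`."""
    return [p for p in exposure_paths(chain, root, compromised)
            if all(chain[a][b]["critical"] for a, b in zip(p, p[1:]))]
```

Run against a real inventory, the output is the list of suppliers whose compromise you should wargame first: the ones reachable through critical, remote-access hops.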
Service provider access to an SME’s business environment is often necessary, but it’s critically important to ensure that access is strictly limited to what is required for the job at hand. The concept of ‘least privilege’, as it is called in IT security lingo, applies as much to software as it does to administrators, and this can be achieved by ensuring software is locked down into compartments which, if breached, limit the potential damage. IT management software like Kaseya and SolarWinds has, by design, powerful high-level privileges, hence the importance of restricting it to only the network segments it genuinely needs to reach. Segmentation can require some serious architectural input, but it starts with a next generation firewall and is definitely worth the effort.
Assuming an attack does happen, organisations can significantly increase their chances of containment by preventing unapproved applications from executing. In the case of the REvil attacks, it’s more than likely that their Sodinokibi ransomware was the actual perpetrator of the encryption action. Locking down key systems with application control solutions will stop both the ransomware executables and a number of the precursor applications attackers need to gain a foothold and steal data before encrypting it.
Managed Detection and Response
Next generation Enterprise Detection and Response solutions such as VMware Carbon Black, especially if managed by a vigilant, always-on Security Operations capability that constantly improves the detection policies, can significantly lower an organisation’s exposure to supply chain attacks. Slipstream’s managed detection and response services are dedicated to this task, constantly learning from our Incident Response practice and its exposure to REvil and many other attacks.